As an IT or cybersecurity professional or even if you are a vendor (sorry I meant solution provider) who is climbing the organizational ladder (or just trying to stay employed), sooner or later you will cross paths with the audit committee - whether appearing in person or helping your boss prepare for a meeting (and his attempts to climb the ladder or stayed employed).
This can be a great opportunity to showcase your contributions and value to the organization, and can serve as an opening for additional budget and career opportunities. But before you make your play, you should know who you are playing with. Here are some "street-smarts" that will help you navigate and understand some of the basic roles of the players are in the "playground."
So what exactly do they do?
Generally, each audit committee's objectives will vary by organization. An "Audit Committee Charter" is used to define what the audit committee's role is at the particular organization. Many companies, especially publicly-traded and large not-for-profits, will include a copy of the charter on their website. Generally, the committee is composed of independent directors who monitor the integrity of financial information, the hiring and oversight of the CPA firm performing the annual financial statement audit, the hiring and performance of the internal audit department and general compliance with laws and regulations.
In some companies the committee is also responsible for risk oversight, although as the risk function has evolved, some companies have established a separate risk committee. Because of the above responsibilities and their expertise in monitoring risk and controls, a number of companies assign cybersecurity oversight - especially testing effectiveness of the cybersecurity program to this committee.
Who are these people?
Appointed by the full board or nominating committee, the audit committee is usually comprised of three to six outside (non-management) directors. Typically, directors have experience in executive management functions at other companies (like other CEOs or CFOs), represent key investors or investment groups (finance and attorney types), have significant insights or relationships with key stakeholders (can refer business to the organization) or provide relevant subject matter expertise (technology).
Given the rapid evolution and complexity of business models, audit committees sometimes appoint "associate" members who can supplement existing committee knowledge and who can represent the committee's interests and concerns. Generally, for publicly-listed companies, at least one audit committee member should be designated as a financial expert - someone who has the appropriate background to understand and if needed question the integrity of the financial statements. One audit committee member is also designated as the chair of the committee. And yes, if you look at your organization's filings with the SEC you can see their bios, why they chosen, and their compensation.
Sign up for CIO Asia eNewsletters.